1. Field of the Invention
The present invention relates generally to the field of information leak prevention. More specifically but not exclusively, the present invention deals with methods for an efficient and accurate analysis of information dissemination events.
2. Description of the Related Technology
Information and knowledge created and accumulated by organizations and businesses are, in many cases, their most valuable assets. Unauthorized dissemination of intellectual property, financial information and other confidential or sensitive information can significantly damage a company's reputation and competitive advantage. In addition, private information of individuals inside organizations, as well as private information of clients, customers and business partners may include sensitive details that can be abused by a user with criminal intentions
Apart from the damage to both business secrecy and reputation, regulation within the US and abroad poses substantial legal liabilities for information leakage: Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley act (GLBA) and the privacy-protecting laws of various states and nations imply that the information assets within organizations should be monitored and subjected to an information protection policy in order to protect client's privacy and to mitigate the risks of potential misuse and fraud.
One of the major challenges in preserving the confidentiality of information and knowledge in modern organizations and businesses is information leaks caused by an authorized user. It turns out that such events of unauthorized dissemination of information, especially via e-mail, are prevalent and happen in many large organizations almost on a daily basis.
An important aspect of information leakage events by authorized users is the variety of motives, intentions and disposition used in leakage of the electronic information. For example the leakage may be caused by an honest mistake (e.g., using the “reply to all” instead of the “reply” option in the email client may result in sending confidential information to an unauthorized recipient outside the organization), by an attempt to “bending the rules” (e.g., working on a confidential document at home) or from a malicious attempt of information dissemination motivated by greed or anger.
Handling events of unauthorized dissemination of electronic information in the business environment is extremely demanding because modern organizations produce immense amounts of electronic traffic and it is essential, on the one hand, to maintain the legitimate flow of electronic information undisturbed while, on the other hand, the confidentiality of the information must be maintained. In many cases, deciding whether the information in a particular case is indeed confidential is a difficult and subjective task, and the trade-offs between risking the confidentiality of the information versus disturbing an important business process are far from being clear. In this respect, the question of motivation of the information dissemination becomes important. If the dissemination event is either part of a legitimate (yet problematic) business process or an innocent mistake of the sender, it may be best handled by the sender himself. On the other hand, if the motive for the dissemination is malicious, it is probably better to block the dissemination without letting the sender know about it.
Current attempts to monitor and enforce policies with respect to electronic information dissemination are, in general, substantially agnostic to motives. This lack of understanding of motives induces less than optimal event handling.